Violating Your E-Policies Can be a Federal Crime

If you’re worried that an employee or ex-employee will break into your computer network and damage the company, a new court ruling gives you new teeth to enforce your policy … and it gives employees something to think about before committing e-sabotage...

Case in Point: The Computer Fraud and Abuse Act (CFAA) is a federal law aimed at protecting confidential company information. An employee can be punished if he “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” (18 U.S.C. § 1030(a)(4)

The government used the CFAA to bring criminal charges against David Nosal, who worked as a high-level executive at Korn/Ferry International, a global executive search firm.

Nosal worked at Korn/Ferry for eight years. When he left, he signed a one-year noncompete agreement and became an independent contractor. However, after leaving he allegedly enlisted three Korn/Ferry employees to help him open his own competing executive search firm. The employees used their secret login codes to gain access to restricted databases. Once there, they downloaded, copied and duplicated the proprietary data, then gave it to Nosal.

Korn/Ferry had a clear computer usage and network policy. It assigned unique login credentials to employees and controlled physical access to the servers. Employees were also required to sign agreements relating to the procedures for handling confidential information.

Nosal and one of the employees were indicted under the CFAA for exceeding authorized access to a computer network. Nosal tried to get the CFAA claims dismissed, but the court rejected his defense, saying he can be prosecuted under the CFAA.

The court said the employees at Korn/Ferry, “were subject to a computer use policy that placed clear and conspicuous restrictions on the employees' access both to the system in general and to the [compromised] database in particular.” (United States v. Nosal, 9th Cir., No. 10-10038, 4/28/11)

3 Lessons Learned…Without Going to Court

1. Have a Network Policy. Without a policy, the court said, the company couldn’t argue there was a breach of it.

2. Monitor Computer Usage. It will help you spot red flags, such as downloading databases, so there can be an immediate intervention to stop it.

3. Protect Proprietary Information Like the Crown Jewels. The court really liked all the electronic reminders, written agreements and distributed policies that Korn/Ferry had in place to protect the confidential information. Whose watching your crown jewels?

Go ahead! Free up storage, save precious office “real estate” and throw out 13 categories of personnel records cluttering up your files. Personnel Records: What to Keep, What to Tossshows you how to do it – efficiently, effectively and without violating any of the wildly different retention regulations.

Caution: The combination of different retention periods, different requirements for all 13 categories of personnel records, Labor Department audits, aggressive FTC enforcement and disgruntled employees means even small mistakes can blow up into class-action lawsuits. Unless you have a system.

Tomorrow's Training:

Your employee handbook can be an invaluable organizational tool … or an employment lawsuit waiting to happen. And in recent years, Congress and state legislatures have been busy enacting laws that directly affect your employee handbook. If you haven't kept up, you could find yourself in court....Click here to find out more.